You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

I'm the Webmaster and all-around IT support person for a small company, and one of our employees managed to get her computer infected with the Rovnix.D Trojan (among others, but MSE and Malwarebyte's Anti-Malware are not detecting them anymore). Other infections that popped up before were Kelihos.F, an Obfuscator variant, Detplock, FakeRean, Trojan.FakeFlash.ED, and Exploit:Java/CVE-2013-0422.

This computer is a Dell Vostro with Win7 Pro and XP Mode. I began by removing FrostWire, a suspicious IE toolbar, and some other junk software that I came across. I also uninstalled Chrome, so IE 10.0.0.7 is the only browser on the machine.

I've run several anti-malware/anti-virus scanners and none have been able to remove Rovnix.D. I have a couple of the most recent MBAM log files that showed infections - subsequent scans have come up clean. I also took screen shots of MBAM Quarantine list as well as MSE showing Rovnix infection. If those will be of any use, let me know.

I would like to get this resolved as quickly as possible, preferably without re-installing the OS, as this is the machine for our Receptionist/Bookkeeper. I do understand that this will be a long process and that the mods are very busy (and underpaid). Thank you in advance for any help anyone can offer on this.

My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:

Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.

If you do not understand any step(s) provided, please do not hesitate to ask before continuing.

Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".

In the upper right hand corner of the topic you will see a button called Follow This Topic.I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1.Please download the latest version of TDSSKiller from here and save it to your Desktop.

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

Put a checkmark beside loaded modules.

A reboot will be needed to apply the changes. Do it.

TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.

Then click on Change parameters in TDSSKiller.

Check all boxes then click OK.

Click the Start Scan button.

The scan should take no longer than 2 minutes.

If a suspicious object is detected, the default action will be Skip, click on Continue.

If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

2.Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.

Close any open windows, including this one.

Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help youshould your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running.ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

Things to include in your next reply::TdssKiller logCombofix.txtHow is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

If I have helped you, consider making a donation to help me continue the fight against Malware!Just click

How is your machine running now?
ComboFix did not resart the computer after completing and displaying log file. Upon opening IE, two security dialogs appeared stating, "You are about to leave a secure internet connection. It will be possible for others to view the information you send." I closed these with the red 'X' in the upper right corner. I have not re-activated MSE real-time protection, which generally gives me a green message box saying that detected items are being cleaned. Please let me know if I should turn on real-time protection again, or wait until the removal process is marked as complete. No BSOD has been encountered yet, but I will update this thread if one occurs.
***Please note: I will be unable to respond to this thread after 2:30PM U.S. Central Time today. I will return to work on Monday, August 5th at 8:00AM U.S. Central Time. Please do not close this thread in the meantime. Thank You - Adam

**UPDATE: After closing all programs, numerous background processes seem to spawn - indicated by quick flashes of indistinguishable program windows. Checking Task Manager, several IE processes are spawning and persisting. Half are iexplore.exe, using 5-7k memory, the other half are iexplore.exe *32, using 60-125k memory. Current count is 6 iexplore/iexplore *32 processes.

Upon reboot after ComboFix ran, I tried opening several programs (IE, Windows Explorer, TDSSKiller) and was met with the same messages each time:

"Illegal operation attempted on a registry key that has been marked for deletion." [OK button]

Next dialog was: "Can't open this item. It might have been moved, renamed, or deleted. Do you want to remove this item? [YES] [NO] - I chose NO each time.

I was able to run these programs by searching for them in the Start Menu and then choosing 'Run As Administrator'. Did so to run TDSSKiller as instructed. After rebooting as prompted by TDSSKiller, the program ran, finding no infections. Have since been able to open programs normally.

Programs seem to be running normally, and have not experienced any BSODs lately, but then again, I am not able to continuously monitor this computer, and have advised the usual user to work on another PC. Each time I have come to check this PC I have awakened it from sleep mode, I presume.

I turned MSE real-time protection back on. Running a quick scan found nothing. Rebooted PC and MSE said "detected threats are being cleaned." MSE History log (All Detected Items) shows Rovnix.D being 'Quarantined' numerous times - the most recent of which are today (8/6) at 10:20 AM, 1:51 PM and 1:52 PM. Exploit:Java/CVE-2013-1493 was also 'Quarantined' at 10:20 AM today.

It seems odd that MSE was able to quarantine these items this morning, since I only JUST enabled real-time protection minutes before writing this update.